// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of April 20, 2026
Signal Brief · Archived

Week of April 20, 2026

2026-04-20 — 2026-04-26 · 14 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of April 20, 2026, ColdRecon logged 14 public endpoint-security events from open-source reporting — 5 vuln disclosures, 5 incidents, 4 research pocs. Vendors in the record this week: Microsoft, Unisoc, CrowdStrike.

The Week's Public Record

Events

2026-04-26
vuln disclosure
Microsoft Entra Agent ID Flaw Enabled Tenant Takeover via Privilege EscalationCVE-2025-21395
A vulnerability in Microsoft Entra ID allowed an attacker to escalate privileges and potentially take over a tenant by abusing Service Principals. The flaw has been fully patched by Microsoft.
2026-04-26
vuln disclosure
Copy Fail: Universal Linux Local Privilege Escalation VulnerabilityCVE-2026-31431
A vulnerability in the Linux kernel, tracked as CVE-2026-31431, allows an unprivileged local user to escalate privileges to root. The flaw is easily exploitable and affects a wide range of Linux systems. It poses a significant risk to endpoint security by enabling attackers to gain full control over affected machines.
2026-04-26
research poc
Anthropic's Claude Mythos Preview AI Model Discovers Over 10,000 High/Critical Vulnerabilities in Open-Source SoftwareClaude Mythos Preview 0-Day Discovery
Anthropic's restricted AI model, Claude Mythos Preview, identified more than 10,000 high- or critical-severity vulnerabilities across critical open-source software in under two months. This demonstrates a significant advancement in AI-assisted offensive security research, potentially accelerating vulnerability discovery at an unprecedented scale.
2026-04-23
research poc
Unisoc UMS512 Secure Boot Bypass via SPL PatchingUnisocBypass
A proof-of-concept tool demonstrates bypassing Unisoc UMS512 (T618) firmware signature verification by patching the Secondary Program Loader (SPL) to disable RSA signature checks. The BootROM only verifies the SPL's SHA256 hash, allowing a modified SPL to be flashed, which then skips verification of subsequent boot stages. This enables persistent unsigned code execution on the device.
2026-04-22
incident
Trigona Ransomware Affiliates Deploy Custom Data Exfiltration ToolTrigona custom exfiltration tool
Trigona ransomware affiliates have been observed using a custom data exfiltration tool to streamline theft before encryption. The tool is designed to efficiently collect and transfer sensitive data from compromised endpoints, reducing reliance on generic utilities. This represents a notable shift in pre-ransomware tactics, as custom malware for exfiltration is uncommon.
2026-04-22
incident
North Korean APT HexagonalRodent Uses AI to Target Web3 Developers with Malicious Coding AssessmentsHexagonalRodent
Expel tracks a North Korean APT subgroup, HexagonalRodent, that targets Web3 developers with fake job offers and malicious coding assessments to steal cryptocurrency. The group uses generative AI tools like Cursor and ChatGPT to craft attacks and has exfiltrated up to $12M in crypto wallets over three months. Their malware includes BeaverTail, OtterCookie, and InvisibleFerret, delivered via booby-trapped VSCode tasks or backdoored code.
2026-04-22
incident
Bissa Scanner AI-Assisted Mass Exploitation and Credential Harvesting Operation ExposedBissa Scanner
An exposed server revealed a large-scale, AI-assisted exploitation operation named Bissa Scanner, which leveraged CVE-2025-55182 (React2Shell) to compromise over 900 victims and harvest credentials from tens of thousands of .env files. The operator used Claude Code and OpenClaw for workflow orchestration, targeting financial, cryptocurrency, and retail sectors for deeper post-compromise collection. The operation demonstrates a mature, modular pipeline for scanning, exploitation, credential validation, and alerting via Telegram bots.
2026-04-21
vuln disclosure
CrowdStrike LogScale Unauthenticated Path-Traversal Vulnerability Allows Arbitrary File ReadCVE-2026-40050
CrowdStrike disclosed a critical unauthenticated path-traversal vulnerability (CVE-2026-40050) in its LogScale platform. A remote attacker can exploit the flaw to read arbitrary files from the server's filesystem without authentication. The vendor issued an urgent security advisory.
2026-04-20
research poc
Beatrice.py Tool Patches x64 Binaries with Alternative Opcodes to Evade AV and YARA DetectionBeatrice.py
Beatrice.py is a Python tool that modifies machine code in x64 binaries by substituting assembly instructions with functionally equivalent alternative opcodes of the same size. It aims to evade signature-based detection such as YARA rules and some antivirus solutions without altering program behavior. The tool was tested against Windows Defender and Elastic YARA rules in April 2026, showing mixed but often successful evasion for various C2 payloads and tools like Mimikatz.
Microsoft · Elastic ↗ github.com (2026-04-20)
2026-04-20
incident
Vercel security breach originated from employee malware infection via third-party OAuth token compromiseVercel supply chain breach via infostealer and OAuth token abuse
An attacker compromised a Vercel employee's Google Workspace account through an OAuth token stolen from Context.ai, which was initially breached via Lumma Stealer malware disguised as Roblox cheats. The attacker then accessed Vercel internal environments and customer credentials. Vercel notified affected customers and published indicators of compromise.
Vercel · Context.ai ↗ cyberscoop.com (2026-04-20)
2026-04-20
research poc
LLM Agents Discover Vulnerabilities in Linux Kernel, Docker, and OpenSSLLLM-driven vulnerability discovery
Researchers used LLM-driven agents to automatically discover security vulnerabilities, including remote out-of-bounds writes in the Linux kernel and flaws in Docker and OpenSSL. This demonstrates a new automated approach to vulnerability research that could accelerate both defensive patching and offensive exploit development.
2026-04-20
incident
The Gentlemen Ransomware-as-a-Service Affiliate Deploys SystemBC Proxy MalwareThe Gentlemen RaaS
An affiliate of The Gentlemen RaaS deployed SystemBC proxy malware during an incident response engagement. The Gentlemen RaaS provides multi-OS lockers and EDR-killing tools, and has claimed over 320 victims, mostly in 2026. SystemBC established covert SOCKS5 tunnels and was found on over 1,570 victims, primarily organizations.
2026-04-20
vuln disclosure
CVE-2026-32202: Windows Shell Security Feature Bypass Exploited by APT28CVE-2026-32202
A zero-click authentication coercion vulnerability in Windows Shell, tracked as CVE-2026-32202, stems from an incomplete patch for a previous security feature bypass. The vulnerability is actively exploited by Russian APT28 to bypass Defender SmartScreen, enabling malware delivery without user interaction.
2026-04-20
vuln disclosure
Path Traversal Vulnerability in Tenable Quick Agent V2 and V3CVE-2025-27937
CVE-2025-27937 is a path traversal vulnerability in Tenable Quick Agent V2 and V3. An authenticated remote attacker can exploit it to read arbitrary files on the affected system. The vulnerability has a CVSS v4 base score of 7.1 (High).
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →